Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 57 threat intelligence reports and have compiled a concise summary of the findings, along with the pertinent metadata extracted from each report. Below you will find a short summary of 10 reports, the related threats, tools and threat actors, a link to the source, and a number of indicators of compromise (IoCs) extracted from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub. IoCs are defanged with "[.]"; several of the listed URLs are paths on legitimate shared services (Discord webhooks, Pastebin, Steam profiles, cloud object storage buckets), so match on the full URL rather than blocking the parent domain.

Title: DRAT V2: Updated DRAT Emerges in TAG-140's Arsenal
Link: https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal
Summary: Recent investigations into the TAG-140 campaign have identified a modified variant of the DRAT remote access trojan (RAT), named DRAT V2, which targets Indian government entities; TAG-140 is linked to Transparent Tribe (APT36). The campaign shows an evolution in malware capabilities: a new command-and-control (C2) architecture built on a custom TCP-based protocol that supports a richer command set. DRAT V2 moves from .NET to Delphi and improves C2 obfuscation, and the campaign delivers it through spearphishing that uses HTML applications and software vulnerabilities, primarily against the defense, railway and oil sectors.
The trojan's command set supports detailed reconnaissance and data exfiltration, a strategic advance in TAG-140's operational flexibility, although the report notes its relatively basic persistence methods as a potential detection opportunity.
Threats: drat sidecopy_group transparenttribe_group sidecopy_campaign xenorat curlback spark_rat ares_rat allakore_rat reverserat_rat broaderaspect spear-phishing_technique clickfix_technique
Indicators of compromise:
-------------------------
ip: 185[.]117[.]90[.]212:7771, 154[.]38[.]175[.]83:3232, 178[.]18[.]248[.]36:6372, 38[.]242[.]149[.]89:61101
domain: email[.]gov[.]in[.]drdosurvey[.]info
url: https://email[.]gov[.]in[.]drdosurvey[.]info/content/press-releases-ministry-defence-0[.]html, https://trade4wealth[.]in/admin/assets/css/default/index[.]php, https://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/01/survey[.]pdf, https://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/02, https://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/02/ayty[.]ert
hash: - sha256=ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802, - sha256=0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316, - sha256=c73d278f7c30f8394aeb2ecbf8f646f10dcff1c617e1583c127e70c871e6f8b7, - sha256=830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d, - sha256=c328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60
email:

Title: Case of attack targeting domestic web servers using MeshAgent and SuperShell
Link: https://asec.ahnlab.com/ko/88559/
Summary: Recent attacks have targeted domestic (South Korean) Windows and Linux web servers using malware such as MeshAgent and SuperShell, exploiting file upload vulnerabilities to deploy web shells and take control of the infected systems.
The attackers installed a backdoor known as WogRAT, linked to previous attacks, and used a range of methods for lateral movement and privilege escalation, including ASP and ASPX web shells, network scanning tools such as Fscan, and privilege escalation through Ladon and its PowerShell variant, PowerLadon. Lateral movement was further enabled by credential theft: the NT hashes of administrator accounts were captured (usable directly for pass-the-hash), allowing a broader compromise of the organisation's network and indicating the potential for exfiltration of sensitive information or ransomware deployment.
Threats: meshagent_tool supershell wograt tinyshell rekoobe_rootkit ladon_tool fscan_tool chinachopper godzilla_webshell regeorg_tool netstat_tool powerladon_tool sweetpotato_tool unc5174_group wingsofgod wmiexec_tool
Indicators of compromise:
-------------------------
ip: 108[.]61[.]247[.]121, 66[.]42[.]113[.]183
domain: linuxwork[.]net
url: http://139[.]180[.]142[.]127/Invoke-WMIExec[.]ps1, http://45[.]76[.]219[.]39/bb, http://45[.]76[.]219[.]39/mc[.]exe, http://66[.]42[.]113[.]183/acccc, http://66[.]42[.]113[.]183/kblockd
hash: - md5=06ebef1f7cc6fb21f8266f8c9f9ae2d9, - md5=3f6211234c0889142414f7b579d43c38, - md5=460953e5f7d1e490207d37f95c4f430a, - md5=4c8ccdc6f1838489ed2ebeb4978220cb, - md5=5c835258fc39104f198bca243e730d57
email:

Title: Odyssey Stealer: The Rebrand of Poseidon Stealer
Link: https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/
Summary: The CYFIRMA research team has discovered Odyssey Stealer, a macOS-focused infostealer that uses the ClickFix technique to deliver malicious AppleScripts via typosquatted websites mimicking financial and cryptocurrency domains. The lure relies on social engineering: the user is tricked into running a command that captures sensitive information such as credentials, browser cookies and cryptocurrency wallet data, with particular attention to applications like Electrum and MetaMask.
Odyssey Stealer's command-and-control infrastructure gives its operators extensive data management, tying it to the broader malware-as-a-service ecosystem, and the malware deliberately avoids CIS countries, a behaviour commonly associated with Russian cybercriminal groups.
Threats: odyssey_stealer poseidon clickfix_technique typosquatting_technique amos_stealer ping3r_actor
Indicators of compromise:
-------------------------
ip: 188[.]92[.]28[.]186, 45[.]144[.]233[.]192, 83[.]222[.]190[.]250, 185[.]39[.]206[.]183, 45[.]135[.]232[.]33, 45[.]146[.]130[.]129, 83[.]222[.]190[.]214, 5[.]199[.]166[.]102, 194[.]26[.]29[.]217, 185[.]147[.]124[.]212, 88[.]214[.]50[.]3
domain: financementure[.]com, macosapp-apple[.]com, macapps-apple[.]com, macapp-apple[.]com, republicasiamedia[.]com, emailreddit[.]com, appmacintosh[.]com, cryptoinfo-news[.]com, macosx-apps[.]com, macxapp[.]org, cryptonews-info[.]com, cryptoinfnews[.]com, odyssey1[.]to, odyssey-st[.]com
url: http://odyssey1[.]to:3333/d?u=October, http://45[.]135[.]232[.]33/d/roberto85866
hash: - sha256=a0bdf6f602af5efea0fd96e659ac553e0e23362d2da6aecb13770256a254ef55
email:

Title: On the other side of the door. We explore the attacks of the ROOM155 group
Link: https://www.f6.ru/blog/room155/
Summary: The ROOM155 group, also known as DarkGaboon and Vengeful Wolf, is a financially motivated cybercriminal group active since 2022 and focused on Russian targets. It runs phishing campaigns with malicious attachments that deliver a range of malware, including Revenge RAT and XWorm, primarily against financial institutions. Its infrastructure includes a variety of command-and-control servers, notably rampage[.]myvnc[.]com, and it disguises executables with false extensions and abuses legitimate resources to draw in victims.
The group demonstrates a high degree of operational maturity: it uses dynamic DNS for malware communication, modifies the registry to ensure persistence, and signs malicious binaries with fake certificates, all of which improve its ability to infiltrate systems and exfiltrate sensitive information.
Threats: darkgaboon_group xworm_rat revenge_rat avemaria_rat venomrat darktrack dcrat lockbit stealerium_stealer cryptoclipper hvnc_tool anydesk_tool dotnet_reactor_tool darktrack_rat themida_tool keilger quasar_rat blackmatter
Indicators of compromise:
-------------------------
ip: 167[.]99[.]211[.]66, 38[.]242[.]143[.]57, 74[.]86[.]151[.]167, 151[.]236[.]28[.]98, 108[.]160[.]166[.]49, 104[.]248[.]133[.]59, 194[.]180[.]48[.]190, 45[.]8[.]147[.]217, 104[.]244[.]43[.]231, 31[.]13[.]224[.]86, 196[.]251[.]66[.]118, 151[.]236[.]15[.]36
domain: kilimanjaro[.]cloudns[.]nz, kilimanjaro[.]run[.]place, kilimanjaro[.]theworkpc[.]com, kilimanjaro[.]bigmoney[.]biz, kilimanjaro[.]crabdance[.]com, kilimanjaro[.]dns[.]army, burkinafaso[.]duckdns[.]org, domain[.]online, mydnsftp[.]myftp[.]biz, tgt55w[.]ddns[.]net, rampage[.]myvnc[.]com, myhost[.]servepics[.]com, myhost[.]misecure[.]com, bs-ku[.]ru, master-22[.]ru, getfugo[.]ru, neo77mos[.]ru, sixfinger[.]ru, kgtpas[.]ru, pollymaniya[.]ru, proresell[.]ru, tutuor-priz[.]ru, bn-ki[.]ru, gdferrit[.]ru, orenhimtorg[.]ru, zeddgfd[.]ru, bl-xp[.]ru, it-loms[.]ru, saveye[.]ru, host777[.]sytes[.]net, mydnsftp[.]biz
url: https://discord[.]com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB, https://pastebin[.]com/raw/z9G9uZ8h
hash: - md5=061f9f6b7fa035cb2cf2c5b437686b9e, - md5=0372cb4f806947727400d1937f3e8063, - md5=78d3152616dedb9801ce61015324ae8a, - md5=f9a67d8b903d4c3b27b55d1bfdd5c70c, - md5=14bc123a8209f7c21aacea4cd179fbec, - md5=e475b4df3462815ef3e236e9cd58455c, - md5=c421f736d39924daa177a4c8d72c315f, - md5=004d2e20927155de98e4a4cd4a271eea, - md5=389390bf696737deedaaf10a90d407d1, -
md5=67b967e4eb8c34fe48b4c4facef16776, - md5=d3106dc883cde0c9e80964f324cfd4fb, - md5=fc1c23ab7a8479c3c60c8d54f0ce0a7d, - md5=9d270c40d2376950525b2b85b35f3911, - md5=0c8aae397ece83d40ebc0d3ebb285d59, - md5=1bc7efa9663c770cac61a55c20419763, - md5=230eb41db9d26ee8da19af13c02d946a, - md5=47742caa2dd028f87a61c7095d1917da, - md5=47d445c17658c27c58df43ab0f2500c1, - md5=a7a90386013a8a7b1eb1d1dc95ed0f6a, - md5=cb4214baafc421dab87cc64513cca45d, - md5=e0a9920aff38a564e76b10cf48540f20, - md5=e4b3fe40e316223441b06f8e7a605006, - md5=efa73efca375de1b486997864d16e5f3, - md5=f0dac46afe6b40cc0450cd898eecaaed, - md5=f994f27f4f43c19c0d5f95aac2eb1523, - md5=08216bb97e4024d039885d86fb3fe768, - md5=c9ad8f950e975cecfc2e85b79326b4f4, - md5=5d59eb5b0a1158db44854acb20b1d9b2, - md5=f7476d98bea0e3acb5a572b506394f41, - md5=cb4db2c54bff1301bb0157911cf55937, - md5=d1b1aaaa2072c95dfe681b5c4426996c, - md5=4b053abf7ef36bbeff8afc149139b104, - md5=4ff4a02e703c272815f6204037636876, - md5=cd4a7eb424ec03389e3750ce8e6aac4f, - md5=72608ab27099a2c5aa87c6e3ed49df89, - md5=e620a93279ab81ab0bd22f22f6625ff6, - md5=cd7417dbef73abe7b90ee0e0f42d8315, - md5=ba4383d3b65713d0c73d207b83604438, - md5=a3976b3c6376c37f94a4d87af90189fb, - md5=a3652cebc8ae0ec570972a598ec133bc, - md5=8d0c0813610ab39eacb983c6b019d344, - md5=840801dafd623e9b283aeceabb4dd5bd, - md5=8363add8daa0ff08dc110d1b95a7ce9d, - md5=82ecfe6e638958645015a160ad52bbe5, - md5=8216c6dfd7f81fc011aff73384189e93, - md5=75568326a8310f5929e78cfbcf62f637, - md5=6d96fc1bc140deceae309109f6a90dcc, - md5=6d5b7404fb4d1642e8178042a71d863e, - md5=624acf32bfbfbbc5945b64f8113d40f3, - md5=57dfd3385b33177edac3bec5c26c626e, - md5=4c5067b01964412c3c17473894314704, - md5=4a8a2d25f6bd10ee1895aa4040d60d25, - md5=437dbf5c3d3058231093d74e68d8eb82, - md5=37a5b97e99c1d2c9bc5500c500c7c79b, - md5=0e96188b34d328c8c6be56cfa0834b32, - md5=224ebe8420eee79b99d8eae13756670e, - md5=83caa65afe19715794d05b79795324c9, - md5=8ae2daf77349acf7a02ee625b145c66e, - md5=ac426123b59715e698ac8ef9634b173d, - 
md5=1deb7d0b24bab69d57d44f4e444c5aad, - md5=386b79fbc92600f1b9b9a38888aaf801, - md5=9b7879b4d4eaf9961ac4f3b43521d367, - md5=0a7f8233dba3b62e1d36cba78adccf5f, - md5=ab01f085916506cd7118f86c7b4951a4, - md5=4b00ffc9e16eee4009e37ee219d5da2e, - sha1=6d1fe810860f5c0fc96e53ce47ecbcb7d59eead2, - md5=8f018fff7b47dbd3228ea7b5e452d2ef, - sha256=4866772541b5ab893dca6905ee069b119b58778daa45fb673b7361d7b27458d2, md5=d6fca250ec63a8ce79cef6d1f3c779ce, - sha256=d5e9a7fb2f387155994b783e4650277c8f84c6865027ac06d8b2ca6050742139, md5=bdf2913ab8412e9bc4d307b54de6fc60, - md5=6a851b7e10b8a5b6772ba6f75fdd575d, - md5=111707d8ac313aa3d2e257bbbf396452, - md5=a213bc9bc768cdfbe0b6a9b5bca1eaa5, - md5=70d717a07a6df0db8fa222a5719c1ccd, - md5=ccbe6b85ade50d51ea4a65f2c675860d, - md5=8a3436554bae0050c046bab9c9bdc074, - md5=9f06908471c2eb89ee81fb7c11278ef0, - md5=c7857e48c24bea9ed00d6270ae3dc4a5, - md5=73bd4710de18c1f44332055aabaf5554, - md5=fcf3ae9ac375e3355556fbab19d1db34, - md5=a6518e6d370406a1c9f60afcd704b084, - md5=ea88132defc837188b974d09f3391dc7, - md5=9bebf6c1615cc230308ded6279949318, - md5=a2bd3c567dde86e5876190c9089c2902, - md5=56f58a85a3f0012aa0da61b371c07de6, - md5=480a10c530427a583207b22e7483faaa, - md5=befacf17753fbb9bc03101b0af02dbf9, - md5=b3b9e45863ab80de64493284d658fe90, - md5=b119c57a54d03db58a17267b623830e5, - md5=69c3995f3e2534efaa88c71b18359b70, - md5=f7d002b6c231dc8f666dcca6173ed20e, - md5=deaafc6addfc7c4645c576061f7c7594, - md5=dc9474121cb6a50b67c515e90467efe8, - md5=d7433fa375961d463d796294adc77361, - md5=c61ff165e5b0eaafd0d02c6bf5cc7a34, - md5=c0866b81ba733f37ae9ebe95d929146e, - md5=b65029a7f009b73bbc26e0c607229f81, - md5=b0c75c8318f838a6157bc2e0287654dd, - md5=af67118c5ff90dee0ae179391d117b52, - md5=ad467dd17b66723e92c69e2959bef475, - md5=a7241abe1d1908e1384bccc22e212e0d, - md5=a6a4d03b61936f6d7789b6b74b5902d1, - md5=991266388469c81b4b146e566e6d32aa, - md5=8f08915a779fc897900be01eaa970336, - md5=7edec7dad7977dc6f1a34b1ff75004de, - md5=7e1e669b33e8d8eeecac16e7ce8e9a9d, - 
md5=9ccdb005bd5e80f4a97d0f418afc75f8, - md5=6ac8cbd3e474ac59c5f10a88dfc19267, - md5=69090148e89182e8f392ab21f7b35d87, - md5=622610ff2580908cc254af37982049af, - md5=426f43b04a489b244ba025a63866fe4d, - md5=3a46f84f57f9da198a8cafa9470cb693, - md5=36efdf1c370747df8027125c15b81b0c, - md5=324a35e2364535bedc53b807ed379abd, - md5=2ff8daea615b5fede0b0b5219e618913, - md5=1f44b48ff3382c46ca43e0466f77bb94, - md5=0c03d5237e53facd034b810687726e41, - md5=c954c383b723277d2e30618abc1bff5d, - md5=d52169d0b16239282dc4d860158c8624, - md5=f1e73cfc0f1a405bd0acdbcc3c709176, - md5=6b7d49f13396066b2c58840aeae27c10, - md5=49f2512ac27775758e20e4b0f2b8425c, - md5=9b71ab9e900369da78a512de071c0cfb, - md5=0d5d3abe5a00a5147de76ec1c7c28b02, - md5=8517e1a765272dfd39e933472723b838, - md5=36504945cb1d37a2c3f0670e264c8ca0, - md5=a437a717ab6e26f5b6b848a5a24e043d
email: room155@proton[.]me, room155@suit[.]me, help@room155[.]online, firsov[.]sud@mail[.]ru

Title: SparkKitty, SparkCat's little brother: A new Trojan spy found in the App Store and Google Play
Link: https://securelist.com/sparkkitty-ios-android-malware/116793/
Summary: In January 2025, researchers discovered the SparkCat spyware campaign, which predominantly targets cryptocurrency wallets by embedding malicious code in applications distributed through official channels such as Google Play and the App Store. The spyware activates when the user interacts with a support chat and uses optical character recognition (OCR) to find and exfiltrate sensitive images, particularly those containing crypto wallet seed phrases, from the user's gallery on both iOS and Android.
The campaign has evolved, with new variants built on modified versions of popular frameworks and libraries to bypass security measures and carry out malicious activity, highlighting persistent weaknesses in app distribution systems and the ongoing risk to users, particularly in Southeast Asia and China.
Threats: sparkkitty sparkcat
Indicators of compromise:
-------------------------
ip: 23[.]249[.]28[.]88, 120[.]79[.]8[.]107, 23[.]249[.]28[.]200, 47[.]119[.]171[.]161
domain: api[.]fxsdk[.]com
url: https://moabc[.]vip/?dev=az, https://data-sdk2[.]oss-accelerate[.]aliyuncs[.]com/file/SGTMnH951121, https://accgngrid[.]com, https://byteepic[.]vip, http://120[.]78[.]239[.]17:10011/req[.]txt, http://39[.]108[.]186[.]119:10011/req[.]txt, https://dhoss-2023[.]oss-cn-beijing[.]aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh, https://sdk-data-re[.]oss-accelerate[.]aliyuncs[.]com/JMUCe7txrHnxBr5nj[.]txt, https://gitee[.]com/bbffipa/data-group/raw/master/02WBUfZTUvxrTMGjh7Uh, https://ok2025-oss[.]oss-cn-shenzhen[.]aliyuncs[.]com/ip/FM4J7aWKeF8yK, https://file-ht-2023[.]oss-cn-shenzhen[.]aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh, https://afwfiwjef-mgsdl-2023[.]oss-cn-shanghai[.]aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh, https://zx-afjweiofwe[.]oss-cn-beijing[.]aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh, https://dxifjew2[.]oss-cn-beijing[.]aliyuncs[.]com/path/02WBUfZTUvxrTMGjh7Uh, https://1111333[.]cn-bj[.]ufileos[.]com/file/SGTMnH951121, https://tbetter-oss[.]oss-accelerate[.]aliyuncs[.]com/ip/CF4J7aWKeF8yKVKu, https://photo-php-all[.]s3[.]ap-southeast-1[.]amazonaws[.]com/app/domain[.]json, https://c1mon-oss[.]oss-cn-hongkong[.]aliyuncs[.]com/J2A3SWc2YASfQ2, https://tbetter-oss[.]oss-cn-guangzhou[.]aliyuncs[.]com/ip/JZ24J7aYCeNGyKVF2, https://data-sdk[.]oss-accelerate[.]aliyuncs[.]com/file/SGTMnH951121
hash: - md5=c5be3ae482d25c6537e08c888a742832, - md5=b4489cb4fac743246f29abf7f605dd15, - md5=e8b60bf5af2d5cc5c501b87d04b8a6c2, - md5=aa5ce6fed4f9d888cbf8d6d8d0cda07f, -
md5=3734e845657c37ee849618e2b4476bf4, - md5=fa0e99bac48bc60aa0ae82bc0fd1698d, - md5=e9f7d9bc988e7569f999f0028b359720, - md5=a44cbed18dc5d7fff11406cc403224b9, - md5=2dc565c067e60a1a9656b9a5765db11d, - md5=66434dd4402dfe7dda81f834c4b70a82, - md5=d851b19b5b587f202795e10b72ced6e1, - md5=ce49a90c0a098e8737e266471d323626, - md5=cc919d4bbd3fb2098d1aeb516f356cca, - md5=530a5aa62fdcca7a8b4f60048450da70, - md5=0993bae47c6fb3e885f34cb9316717a3, - md5=5e15b25f07020a5314f0068b474fff3d, - md5=1346f987f6aa1db5e6deb59af8e5744a, - md5=21ef7a14fee3f64576f5780a637c57d1, - md5=6d39cd8421591fbb0cc2a0bce4d0357d, - md5=c6a7568134622007de026d22257502d5, - md5=307a64e335065c00c19e94c1f0a896f2, - md5=fe0868c4f40cbb42eb58af121570e64d, - md5=f9ab4769b63a571107f2709b5b14e2bc, - md5=2b43b8c757c872a19a30dcdcff45e4d8, - md5=0aa1f8f36980f3dfe8884f1c6f5d6ddc, - md5=a4cca2431aa35bb68581a4e848804598, - md5=e5186be781f870377b6542b3cecfb622, - md5=2d2b25279ef9365420acec120b98b3b4, - md5=149785056bf16a9c6964c0ea4217b42b, - md5=931399987a261df91b21856940479634, - md5=8c9a93e829cba8c4607a7265e6988646, - md5=b3085cd623b57fd6561e964d6fd73413, - md5=44bc648d1c10bc88f9b6ad78d3e3f967, - md5=0d7ed6df0e0cd9b5b38712d17857c824, - md5=b0eda03d7e4265fe280360397c042494, - md5=fd4558a9b629b5abe65a649b57bef20c, - md5=1b85522b964b38de67c5d2b670bb30b1, - md5=ec068e0fc6ffda97685237d8ab8a0f56, - md5=f10a4fdffc884089ae93b0372ff9d5d1, - md5=931085b04c0b6e23185025b69563d2ce, - md5=7e6324efc3acdb423f8e3b50edd5c5e5, - md5=8cfc8081559008585b4e4a23cd4e1a7f, - md5=0b7891114d3b322ee863e4eef94d8523, - md5=0d09c4f956bb734586cee85887ed5407, - md5=2accfc13aaf4fa389149c0a03ce0ee4b, - md5=5b2e4ea7ab929c766c9c7359995cdde0, - md5=5e47604058722dae03f329a2e6693485, - md5=9aeaf9a485a60dc3de0b26b060bc8218, - md5=0752edcf5fd61b0e4a1e01371ba605fd, - md5=489217cca81823af56d141c985bb9b2c, - md5=b0976d46970314532bc118f522bb8a6f, - md5=f0460bdca0f04d3bd4fc59d73b52233b, - md5=f0815908bafd88d71db660723b65fba4, - 
md5=6fe6885b8f6606b25178822d7894ac35
email:

Title: Hot bait in Taiwan Strait! Wangsai Group combines 0day and ClickOnce technology to conduct espionage activities
Link: https://www.ctfiot.com/258275.html
Summary: The Wangsai group, designated APT-Q-14, is a threat actor linked to Northeast Asia and associated with groups within the DarkHotel cluster. It was found using a cross-site scripting (XSS) zero-day in a popular email platform to enhance phishing tactics that previously relied on ClickOnce: malicious actions are now triggered automatically when victims interact with phishing emails disguised as notifications from Yahoo Current Affairs News. The operation deploys a Trojan file (csrss32.exe) that runs shellcode to inject a dynamic link library (DLL) used for further malicious activity, including privilege escalation. APT-Q-14 also targets vulnerabilities in Android email applications and has shown detailed knowledge of internal software interfaces; the source hints at future disclosure of these vulnerabilities to the open-source community.
Threats: wangsai_group apt-q-14_group camouflaged_hunter_group apt-q-15_group darkhotel_group process_injection_technique zipperdown_vuln
Indicators of compromise:
-------------------------
ip:
domain: whocanis[.]com
url: https://whocanis[.]com/eu-uk/reent/tivma[.]php
hash: - md5=241e18ad3beb6c0ce34060b186822503, - md5=f07bc9e321c736eaa6e90fdfc1b2435a, - md5=f0e0c028909c6c07120ff444ac56a8d8
email:

Title: Black Hat SEO Poisoning Search Engine Results For AI to Distribute Malware
Link: https://www.zscaler.com/blogs/security-research/black-hat-seo-poisoning-search-engine-results-ai-distribute-malware
Summary: Recent research from Zscaler ThreatLabz has uncovered a campaign in which AI-themed websites are used for malware distribution, exploiting the popularity of AI tools.
Attackers use Black Hat SEO techniques to manipulate search rankings, increasing the likelihood that users will land on these malicious sites. The malware identified includes Vidar Stealer, Lumma Stealer and Legion Loader, all designed to steal sensitive information. The distribution chain runs through a malicious domain, gettrunkhomuto[.]info, which uses a JavaScript redirection mechanism and AWS CloudFront to host and deliver the malware, complicating detection. The attackers disguise payloads as password-protected ZIP archives containing seemingly legitimate installers, and techniques such as DLL sideloading and process hollowing further improve the malware's stealth and evasion of security controls.
Threats: blackseo_technique seo_poisoning_technique lumma_stealer legionloader vidar_stealer dll_sideloading_technique process_hollowing_technique dll_injection_technique process_injection_technique
Indicators of compromise:
-------------------------
ip:
domain: gettrunkhomuto[.]info, chat-gpt-5[.]ai, ai[.]com, call-2[.]com, metalsyo[.]digital, ironloxp[.]live, navstarx[.]shop, starcloc[.]bet, advennture[.]top, targett[.]top, spacedbv[.]world, galxnetb[.]today, y[.]p[.]forxprime[.]co[.]uk, e[.]p[.]formaxprime[.]co[.]uk, h[.]p[.]formaxprime[.]co[.]uk, p[.]p[.]formaxprime[.]co[.]uk, d[.]p[.]formaxprime[.]co[.]uk, s[.]p[.]formaxprime[.]co[.]uk, r[.]p[.]formaxprime[.]co[.]uk, t[.]p[.]formaxprime[.]co[.]uk, e[.]x[.]formaxprime[.]co[.]uk, kreaai[.]com
url: https://guildish[.]com/diagnostics[.]php, https://steamcommunity[.]com/profiles/76561199832267488
hash: - md5=c957adb29755e586ee022244369c375d, - md5=14642e8ffd81298f649e28dc046d84bb, - md5=3583e0cc8f78fd1e65f307d2d8471ad2, - md5=c53eaf734ecc1d81c241ea2ab030a87e, - md5=758625d112c04c094f96afc40eafa894, - md5=ffdaacb43c074a8cb9a608c612d7540b
email:

Title: Iranian Educated Manticore Targets Leading Tech Academics
Link: https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics/
Summary: The Iranian threat group Educated Manticore, linked to the Islamic Revolutionary Guard Corps, has stepped up spear-phishing campaigns aimed at Israeli journalists, cybersecurity experts and academics amid heightened tensions with Israel. The group, also tracked as APT42, Charming Kitten and Mint Sandstorm, uses tailored phishing that impersonates credible figures to deceive targets over email and WhatsApp. Recent campaigns have incorporated AI-generated content and a more capable phishing infrastructure, including pages built with modern web technologies and real-time keyloggers, improving its ability to harvest credentials and other sensitive information. Despite ongoing efforts to counter these campaigns, Educated Manticore's adaptability and advanced techniques continue to pose a significant threat to individuals in Israel.
Threats: charming_kitten_group spear-phishing_technique credential_harvesting_technique apt42_group charmpower powerstar powerless greencharlie_group
Indicators of compromise:
-------------------------
ip: 185[.]130[.]226[.]71, 45[.]12[.]2[.]158, 45[.]143[.]166[.]230, 91[.]222[.]173[.]141, 194[.]11[.]226[.]9, 195[.]66[.]213[.]132, 146[.]19[.]254[.]238, 194[.]11[.]226[.]29, 194[.]11[.]226[.]46, 194[.]61[.]120[.]185, 2[.]56[.]126[.]230, 194[.]11[.]226[.]5
domain: conn-ectionor[.]cfd, optio-nalynk[.]online, ques-tion-ing[.]xyz, sendly-ink[.]shop, shaer-likn[.]store, alison624[.]online, bestshopu[.]online, black-friday-store[.]online, idea-home[.]online, book-handwrite[.]online, world-shop[.]online, lenan-rex[.]online, first-course[.]online, reading-course[.]online, make-house[.]online, zra-roll[.]online, tomas-company[.]online, clame-rade[.]online, dmn-for-hall[.]online, word-course[.]online, clothes-show[.]online, expressmarket[.]online, loads-ideas[.]online, sky-writer[.]online, becker624[.]online, adams-cooling[.]online,
stadium-fresh[.]online, royalsoul[.]online, live-message[.]online, teammate-live[.]online, wood-house[.]online, ude-final[.]online, city-splash[.]online, door-black-meter[.]online, prt-max[.]online, albert-company[.]online, human-fly900[.]online, dmn-for-car[.]online, good-student[.]online, goods-companies[.]online, pnl-worth[.]online, ricardo-mell[.]online, live-coaching[.]online, wer-d[.]info, spring-club[.]info, all-for-city[.]info, beta-man[.]info, amg-car-ger[.]info, cc-newton[.]info, steve-brown[.]info, connect-room[.]online, live-gml[.]online, roland-cc[.]online, exir-juice[.]online, yamal-group[.]online, live-conn[.]online, online-room[.]online, platinum-cnt[.]info, crysus-h[.]info, lynda-tricks[.]online, message-live[.]online, white-life-bl[.]info, meet-work[.]info, prj-ph[.]info, hrd-dmn[.]info, ntp-clock-h[.]info, work-meeting[.]info, ph-crtdomain[.]info, nsim-ph[.]info, warning-d[.]info, live-meet[.]cloud, live-meet[.]blog, live-meet[.]info, live-meet[.]cfd, live-meet[.]live, network-show[.]online, redirect-review[.]online, arizonaclub[.]me, backback[.]info, cloth-model[.]blog, cook-tips[.]info, network-review[.]xyz, socks[.]beauty, gallery-shop[.]online, network-game[.]xyz, good-news[.]cfd, network-show-a[.]online, panel-network[.]online, panel-redirect[.]online, encryption-redirect[.]online, thomas-mark[.]xyz, rap-art[.]info, anna-blog[.]info, arrow-click[.]info, best85best[.]online, shadow-network[.]best, good-news[.]fashion, warplogic[.]pro, cyberlattice[.]pro, show-verify[.]xyz, top-game[.]online, suite-moral[.]info, nice-goods[.]online, crysus-p[.]info, wash-less[.]online, ptr-cc[.]online, white-car[.]online, live-content[.]online, bracs-lion[.]online, storm-wave[.]online, course-math[.]info, food-tips-blog[.]online, white-life[.]info, ph-work[.]info, normal-dmn[.]info, panel-meeting[.]info, prj-pa[.]info, ntp-clock-p[.]info, nsim-pa[.]info, pa-crtdomain[.]info, infinit-world[.]info, alex-mendez-fire[.]info, reg-d[.]info, everything-here[.]info, 
healthy-lifestyle[.]fit, alpha-man[.]info, lesson-first[.]info, master-club[.]info
url: https://idea-home[.]online:8569
hash:
email:

Title: ClickFix makes its way into Russia
Link: https://bi.zone/eng/expertise/blog/proydite-proverku-i-poluchite-vpo-clickfix-dobralas-do-rossii/
Summary: In June 2025, a series of targeted campaigns using the ClickFix technique (a fake verification prompt that tricks the user into running a command themselves) began affecting Russian organisations. The campaigns start with phishing emails impersonating reputable organisations; links in attached PDF files lead to malicious websites. The primary payload, Octowave Loader, masquerades as Squirrel Installer and consists of several components, including a legitimate software installer and shellcode hidden steganographically in a WAV file. It uses DLL side-loading and establishes persistence by modifying the Run registry key and creating tasks in the Windows Task Scheduler. It collects system information, sends it to a command-and-control server, and executes malicious PowerShell commands to enable further exploitation.
Threats: clickfix_technique fakecaptcha_technique octowave_loader dll_sideloading_technique steganography_technique
Indicators of compromise:
-------------------------
ip: 82[.]117[.]87[.]103
domain: yasec[.]ru, docrf[.]org
url: http://82[.]117[.]87[.]103/q?=furries
hash: - sha256=673e826846b40f16508677efe1c7a272865157fb48c1f81ff7975af3b2a3149e, - sha256=b984fc4ba98c3e787eaa7c8bb0def3f704849753bb1a51af816bdc91be24d3e4, - sha256=2c86d226fb4584ca7bd1284600b8c6ea5a1f312de78595b5c22ff6bc1c6522f3, - sha256=3ee3d3d0a515b24f1b104cb8ec1b8d01b5af63c55c9c8424230826b736d70549, - sha256=2ab9b583b5c85b3c2e927d02f7ee316f9e5eaf2db394a8c1d970b428dabe08a0, - sha256=cce5b6dcdfa69e1b1e3d78ec1d3ec09c12861bf95e033d79aabe9bd2d28577ce, - sha256=97b507a8d197ad901b6de1e9042b7ab94b0d263dd6c0852600ac7b80754fd686, -
sha256=ef16edc3b8de0f6456b4ecde12a90dc1b1678816390d01d187c73edfbaff2249, - sha256=acbfd3f0768fe1f730c6f93fec4b2a9761c469226d5ac00ca7a15358e656a226, - sha256=0f8635172da61dc6161b428a6b120461b5a9b04165483374b15beca5f0a12bc8, - sha256=e633535706b7654f458ada840be494f7460a8fbfff0078c95dc5785213ba14de
email:

Title: Bluenoroff (APT38) real-time infrastructure tracking
Link: https://www.ctfiot.com/258665.html
Summary: North Korean cyber operations, often attributed to the Lazarus Group, are hard to track because of overlapping naming conventions among subgroups such as APT38, which is financially motivated and linked to the Reconnaissance General Bureau. APT38 has been implicated in major attacks on financial institutions worldwide, including the 2016 Bangladesh Bank heist in which $81 million was stolen and the 2018 breaches of Bancomext and Banco de Chile. A recent investigation identified specific IP addresses associated with ongoing APT38 activity, including phishing operations and malware communication, with macOS systems targeted by malware from the Cosmic Rust family, highlighting the evolving tactics of this North Korean group.
Threats: bluenoroff_group lazarus_group andariel_group kimsuky_group smn_campaign flame 1mission_campaign dark_seoul_group
Indicators of compromise:
-------------------------
ip: 104[.]168[.]151[.]116, 140[.]82[.]20[.]246, 156[.]154[.]132[.]200, 198[.]57[.]247[.]218, 198[.]54[.]117[.]242, 104[.]168[.]136[.]24
domain: bellezalatam[.]com, amirani[.]chat, firstfromsep[.]online, socialsuport[.]com, gost[.]run, nicrft[.]site, instant-update[.]online
url:
hash: - sha256=dbe48dc08216850e93082b4d27868a7ca51656d9e55366f2642fc5106e3af980
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
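The IoC blocks above share one layout (ip/domain/url/hash/email lines, defanged with "[.]"). The Python script below is an added example, not RST Cloud's own tooling: it parses a constructed excerpt in that layout, refangs it, and matches the result against constructed log lines, keeping an IP:port pair distinct from a bare IP and comparing URLs in full rather than by parent domain. The excerpt, the log lines and the field names are assumptions made for the example; the indicator values are taken from the digest.

```python
"""Parse the defanged IoC layout used in this digest and match it against log lines.

Added example (not RST Cloud's own code). The excerpt and the log lines below are
constructed for the example; the indicator values are taken from the digest above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the digest's own layout.
SAMPLE_BLOCK = """Indicators of compromise:
-------------------------
ip: 185[.]117[.]90[.]212:7771, 154[.]38[.]175[.]83:3232
domain: email[.]gov[.]in[.]drdosurvey[.]info
url: https://trade4wealth[.]in/admin/assets/css/default/index[.]php, http://odyssey1[.]to:3333/d?u=October
hash: - sha256=ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802, - md5=06ebef1f7cc6fb21f8266f8c9f9ae2d9
email: room155@proton[.]me"""

# Constructed log lines (DNS, firewall, proxy and EDR style) to scan.
SAMPLE_LOGS = [
    "2025-06-30T10:01:02Z dns query=email.gov.in.drdosurvey.info client=10.0.0.5",
    "2025-06-30T10:01:05Z conn src=10.0.0.5 dst=185.117.90.212:7771 proto=tcp",
    "2025-06-30T10:02:00Z proxy url=https://trade4wealth.in/admin/assets/css/default/index.php status=200",
    "2025-06-30T10:03:00Z edr file=C:\\Users\\a\\survey.exe sha256=CE98542131598B7AF5D8AA546EFE8C33A9762FB70BFF4574227ECAED7FFF8802",
    "2025-06-30T10:04:00Z conn src=10.0.0.6 dst=185.117.90.212:443 proto=tcp",
    "2025-06-30T10:05:00Z dns query=mail.example.com client=10.0.0.7",
]

HASH_RE = re.compile(r"(md5|sha1|sha256)=([0-9a-fA-F]{32,64})")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Undo the digest's defanging ("[.]" for "."); the common "hxxp" variant is handled too."""
    return value.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


@dataclass
class IocSet:
    ips: set[str] = field(default_factory=set)                   # bare IPs
    ip_ports: set[tuple[str, int]] = field(default_factory=set)  # only where the digest gave a port
    domains: set[str] = field(default_factory=set)
    urls: set[str] = field(default_factory=set)
    hashes: dict[str, set[str]] = field(default_factory=lambda: {"md5": set(), "sha1": set(), "sha256": set()})
    emails: set[str] = field(default_factory=set)


def parse_ioc_block(text: str) -> IocSet:
    """Parse 'ip:', 'domain:', 'url:', 'hash:' and 'email:' lines; anything else is ignored."""
    iocs = IocSet()
    for raw in text.splitlines():
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), refang(value).strip()
        if not value:
            continue
        items = [v.strip() for v in value.split(",") if v.strip()]  # digest separates items with ", "
        if key == "ip":
            for item in items:
                ip, _, port = item.partition(":")
                iocs.ips.add(ip)
                if port.isdigit():
                    iocs.ip_ports.add((ip, int(port)))
        elif key == "domain":
            iocs.domains.update(d.lower() for d in items)
        elif key == "url":
            iocs.urls.update(items)
        elif key == "hash":
            for algo, digest in HASH_RE.findall(value):
                iocs.hashes[algo.lower()].add(digest.lower())
        elif key == "email":
            iocs.emails.update(e.lower() for e in items)
    return iocs


def host_matches(host: str, domains: set[str]) -> bool:
    """Exact match or subdomain of an indicator domain."""
    return host in domains or any(host.endswith("." + d) for d in domains)


def scan_line(iocs: IocSet, line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one log line."""
    hits: list[tuple[str, str]] = []
    for ip, port in IP_RE.findall(line):
        if ip in iocs.ips:
            hits.append(("ip", ip))
            if port and (ip, int(port)) in iocs.ip_ports:
                hits.append(("ip:port", f"{ip}:{port}"))
    for host in HOST_RE.findall(line.lower()):
        if host_matches(host, iocs.domains):
            hits.append(("domain", host))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")
        if url in iocs.urls:  # full-URL match; the parent domain may be a legitimate shared service
            hits.append(("url", url))
    for digest in HEX_RE.findall(line):
        algo = HASH_ALGO_BY_LEN[len(digest)]
        if digest.lower() in iocs.hashes[algo]:
            hits.append((algo, digest.lower()))
    return hits


def scan_logs(iocs: IocSet, lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan every line; returns (line_index, indicator_type, value) triples."""
    return [(i, kind, value) for i, line in enumerate(lines) for kind, value in scan_line(iocs, line)]


if __name__ == "__main__":
    for index, kind, value in scan_logs(parse_ioc_block(SAMPLE_BLOCK), SAMPLE_LOGS):
        print(f"line {index}: {kind} {value}")
```

Line 4 of the sample illustrates why the port is kept: the same host on 443 is still worth a look as an IP match, but only the 7771 connection reproduces the C2 endpoint the report lists. Feeding the whole digest to `parse_ioc_block` works as long as each report's block is passed separately, since the sets would otherwise merge across reports.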
Analysis Summary
This analysis synthesizes threat intelligence from the provided weekly report summary, focusing only on the actors explicitly described in the context provided.
# Threat Actor: TAG-140 (Associated with Transparent Tribe/APT36)
## Attribution & Identity
* **Primary Identifier:** TAG-140
* **Known Associations:** Linked to **Transparent Tribe (APT36)**. The activity suggests an operational evolution of this threat group.
## Activity Summary
TAG-140 is engaged in a cyber threat campaign employing an updated remote access trojan, **DRAT V2**. This campaign specifically targets **Indian government entities**. The activities show an evolution in malware capabilities, notably a shift to a Delphi architecture and improved C2 obfuscation. The actor utilizes spearphishing for initial access.
## Tactics, Techniques & Procedures
* Spearphishing using HTML applications.
* Exploitation of software vulnerabilities.
* Custom TCP-based command-and-control architecture.
* Deployment of the DRAT V2 RAT.
* Detailed reconnaissance and data exfiltration capabilities.
* Basic persistence methods, which the report flags as a potential detection opportunity for defenders.
* *Related technique tags:* `spear-phishing_technique`, `clickfix_technique`
## Targeting
* **Sectors:** Defense, Railways, and Oil (Indian government entities).
* **Geography:** India (implied by targeting Indian government entities).
* **Victims:** Indian government entities.
## Tools & Infrastructure
* **Malware families used:** DRAT V2 (modified RAT, moved from .NET to Delphi). The report's tags also cover related tooling from the same cluster: `drat`, `xenorat`, `curlback`, `spark_rat`, `ares_rat`, `allakore_rat`, `reverserat_rat`, `broaderaspect`; `sidecopy_group` and `transparenttribe_group` are group tags, not tools.
* **Infrastructure:**
* IPs: 185[.]117[.]90[.]212:7771, 154[.]38[.]175[.]83:3232, 178[.]18[.]248[.]36:6372, 38[.]242[.]149[.]89:61101
* URLs/Domains: email[.]gov[.]in[.]drdosurvey[.]info, https://email[.]gov[.]in[.]drdosurvey[.]info/content/press-releases-ministry-defence-0[.]html, https://trade4wealth[.]in/admin/assets/css/default/index[.]php, https://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/02/ayty[.]ert
## Implications
The evolution to DRAT V2, coupled with a custom C2 protocol and Delphi architecture, suggests a dedicated effort by TAG-140/APT36 to enhance operational security and evasion techniques against targets within the Indian government infrastructure.
## Mitigations
* Block or quarantine HTML Application (.hta) attachments and downloads at the mail and web gateways, and restrict `mshta.exe` execution on endpoints that do not need it; this is the spearphishing delivery path the report describes.
* Alert on outbound connections to the listed C2 addresses and ports, and baseline egress on non-standard TCP ports (7771, 3232, 6372 and 61101 here) from hosts that should only speak HTTP(S); a custom TCP protocol will not look like web traffic.
* Keep user-facing software patched, since the report cites exploitation of software vulnerabilities alongside spearphishing; the summary names no specific CVE, so consult the original report for the affected products.
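As an added example (not code from the RST Cloud or Recorded Future reports), the Python below refangs the indicators listed in this section and checks them against proxy/flow log lines. The log format, the 10.20.x internal hosts and the log lines themselves are constructed for the demo, and the port-aware scoring (same IP on an unexpected port scores lower) is the editor's choice, not something the report prescribes. The fifth line is the legitimate `email.gov.in`, included to show that the lookalike prefix on the lure host must not cause a false match.

```python
"""Match egress/proxy log lines against the TAG-140 indicators listed in this
section. Added example, not code from the RST Cloud or Recorded Future reports.
The indicator strings are the ones above; the log format, the 10.20.x hosts
and the log lines themselves are constructed for this demo."""
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as published (defanged with "[.]").
DEFANGED_IPS = [
    "185[.]117[.]90[.]212:7771",
    "154[.]38[.]175[.]83:3232",
    "178[.]18[.]248[.]36:6372",
    "38[.]242[.]149[.]89:61101",
]
DEFANGED_DOMAINS = ["email[.]gov[.]in[.]drdosurvey[.]info"]
DEFANGED_URLS = [
    "https://email[.]gov[.]in[.]drdosurvey[.]info/content/press-releases-ministry-defence-0[.]html",
    "https://trade4wealth[.]in/admin/assets/css/default/index[.]php",
    "https://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/02/ayty[.]ert",
]

# Constructed proxy/flow lines: "<ts> <src> <dst> <dport> <proto> <url-or-dash>".
LOG_LINES = [
    "2025-07-10T09:12:01Z 10.20.1.15 185.117.90.212 7771 TCP -",
    "2025-07-10T09:12:05Z 10.20.1.15 185.117.90.212 443 TCP -",
    "2025-07-10T09:13:40Z 10.20.1.22 203.0.113.9 443 HTTPS https://email.gov.in.drdosurvey.info/content/press-releases-ministry-defence-0.html",
    "2025-07-10T09:14:02Z 10.20.1.22 203.0.113.9 443 HTTPS https://cdn.email.gov.in.drdosurvey.info/a.js",
    "2025-07-10T09:15:00Z 10.20.1.30 198.51.100.7 443 HTTPS https://email.gov.in/",
    "2025-07-10T09:16:00Z 10.20.1.31 38.242.149.89 61101 TCP -",
]


def refang(s: str) -> str:
    """Undo the usual defanging so indicators compare against raw logs."""
    return (s.replace("[.]", ".").replace("hxxps://", "https://")
             .replace("hxxp://", "http://"))


def build_iocs():
    """Return (ip -> expected port or None, set of domains, set of (host, path))."""
    ip_ports = {}
    for item in DEFANGED_IPS:
        ip, _, port = refang(item).partition(":")
        ip_ports[str(ipaddress.ip_address(ip))] = int(port) if port else None
    domains = {refang(d).lower().rstrip(".") for d in DEFANGED_DOMAINS}
    urls = set()
    for u in DEFANGED_URLS:
        parts = urlsplit(refang(u))
        domains.add(parts.hostname.lower())   # a URL IoC implies its host is one too
        urls.add((parts.hostname.lower(), parts.path))
    return ip_ports, domains, urls


def host_matches(host: str, domains) -> bool:
    """True if host is a listed domain or a subdomain of one. Deliberately does
    not widen to the registrable domain (drdosurvey.info): that is an analyst
    decision, since the report lists only the full lure hostname."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan(lines, ip_ports, domains, urls):
    """Return (line_no, confidence, reason) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            _ts, _src, dst, dport, _proto, url = line.split(maxsplit=5)
        except ValueError:
            continue  # malformed line; a real pipeline would count these
        if dst in ip_ports:
            # Same IP on a different port is still worth a look, but the C2
            # port is what the report observed, so score it lower.
            level = "high" if ip_ports[dst] in (None, int(dport)) else "medium"
            hits.append((n, level, f"dst {dst}:{dport} is a listed C2 address"))
        if url != "-":
            host = (urlsplit(url).hostname or "").lower()
            if (host, urlsplit(url).path) in urls:
                hits.append((n, "high", f"{url} is a listed lure/payload URL"))
            elif host_matches(host, domains):
                hits.append((n, "high", f"host {host} is under a listed domain"))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES, *build_iocs()):
        print(hit)
```

Running it flags lines 1, 3, 4 and 6 at high confidence and line 2 at medium (listed C2 address, but port 443 rather than the observed 7771); the legitimate `email.gov.in` request on line 5 produces no hit because suffix matching is anchored on a dot before the listed hostname.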
***
# Threat Actor: UNC5174 Group (Implied Association/Contextual)
*Note: UNC5174 appears in the threat tags of the second summary (MeshAgent/SuperShell), which details tool usage and victims rather than attribution or motivation, so the association is contextual rather than a firm attribution.*
## Attribution & Identity
* **Known Aliases/Groups:** UNC5174\_GROUP.
* **Associated Threats:** MeshAgent, SuperShell, WogRAT, Ladon.
## Activity Summary
This actor (or a group using these tools) targets domestic (South Korean) Windows and Linux web servers by exploiting file upload vulnerabilities to plant web shells (e.g., Godzilla) and then installs backdoors (WogRAT, TinyShell) to keep control. Lateral movement and privilege escalation follow.
## Tactics, Techniques & Procedures
* Exploiting file upload vulnerabilities.
* Deployment of web shells (ASP, ASPX formats).
* Installation of backdoor (WogRAT).
* Lateral movement via credential theft (capturing NT Hashes).
* Privilege escalation with SweetPotato (Windows token impersonation), alongside the Ladon/PowerLadon scanning and exploitation framework.
* Network scanning (Fscan).
* Remote command execution via WMI (WMIExec).
## Targeting
* **Sectors:** Organizations utilizing vulnerable Windows and Linux web servers.
* **Geography:** South Korea (the source is AhnLab's Korean-language ASEC blog, in which "domestic" refers to Korea; the summary itself does not name the country).
* **Victims:** Organizations with exposed web servers vulnerable to file upload exploits.
## Tools & Infrastructure
* **Malware families used:** MeshAgent, SuperShell, WogRAT, TinyShell (Tiny SHell, a Linux backdoor), Rekoobe (a Linux backdoor derived from Tiny SHell), Godzilla web shell, China Chopper web shell.
* **Tools:** Fscan, Ladon/PowerLadon, SweetPotato, reGeorg (HTTP tunnelling), netstat, Invoke-WMIExec.
* **Infrastructure:**
  * IPs: 108[.]61[.]247[.]121, 66[.]42[.]113[.]183
  * Domains: linuxwork[.]net
  * URLs: http://139[.]180[.]142[.]127/Invoke-WMIExec[.]ps1, http://45[.]76[.]219[.]39/bb, http://66[.]42[.]113[.]183/acccc
## Implications
This activity shows a complete intrusion chain: web-server weaknesses for initial access, then internal reconnaissance (Fscan scanning, NT hash collection) and privilege escalation, the usual precursors to ransomware deployment or large-scale data exfiltration.
## Mitigations
* Fix file-upload handling on internet-facing web servers: allowlist extensions, verify content, store uploads outside the web root under server-generated names, and disable script execution in upload directories.
* Monitor hosts for reconnaissance tooling (Fscan, netstat or Ladon launched by a web-server worker process) and for credential-dumping artifacts; network monitoring alone will not see local NT hash collection.
* Restrict or audit the use of WMI for remote process execution unless explicitly required, and alert on PowerShell fetching scripts such as Invoke-WMIExec.ps1 from external hosts.
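The following is an added example, not code from the ASEC report: it shows the class of file-upload flaw the report describes being exploited to plant web shells, beside a hardened version. The directory paths, the allowlist and the sample uploads are constructed for the demo; the functions compute where an upload would land rather than writing to disk, so the module runs anywhere.

```python
"""Vulnerable vs. hardened handling of an uploaded file, the class of flaw
this section describes being used to plant web shells. Added example, not code
from the ASEC report; the directory paths and sample uploads are constructed."""
import os
import secrets

WEB_ROOT = "/var/www/html"
UPLOAD_DIR_VULN = os.path.join(WEB_ROOT, "uploads")   # served (and executed) by the web server
UPLOAD_DIR_SAFE = "/srv/app-data/uploads"             # outside the web root

# Allowed extension -> magic bytes the content must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-"}
# Extensions the server would execute; none may appear anywhere in the name.
SERVER_SIDE = {"asp", "aspx", "asa", "ashx", "asmx", "cer", "php", "php5",
               "phtml", "jsp", "jspx", "cgi", "pl"}


class UploadRejected(ValueError):
    pass


def destination_vulnerable(filename: str, data: bytes) -> str:
    """Trusts the client-supplied name. 'shell.aspx' lands under the web root
    and runs on the next request: exactly the web-shell path described above."""
    return os.path.join(UPLOAD_DIR_VULN, os.path.basename(filename))


def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension to store under, or raise UploadRejected.

    Checks: control characters or path separators; the *last* extension against
    an allowlist (so shell.jpg.aspx fails); any server-side extension anywhere
    in the name (so shell.aspx;.jpg and shell.php.jpg fail even on servers with
    odd extension parsing); and magic bytes against the declared type (so a
    .jpg that is really ASP/PHP text fails)."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise UploadRejected("bad characters in file name")
    parts = filename.strip().rstrip(". ").lower().split(".")  # Windows ignores trailing dots/spaces
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing name or extension")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    for piece in parts[1:]:
        for token in piece.split(";"):
            if token in SERVER_SIDE:
                raise UploadRejected(f"server-side extension .{token} embedded in name")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def destination_hardened(filename: str, data: bytes) -> str:
    """Validated, stored outside the web root under a server-chosen random
    name, so the client controls neither the path nor the execution context."""
    ext = validate_upload(filename, data)
    return os.path.join(UPLOAD_DIR_SAFE, f"{secrets.token_hex(16)}.{ext}")


SAMPLES = {  # constructed uploads, not files from the incident
    "photo.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "shell.aspx": b'<%@ Page Language="C#" %>',
    "shell.aspx;.jpg": b"\xff\xd8\xff\xe0",
    "shell.php.jpg": b"\xff\xd8\xff\xe0",
    "notes.jpg": b"<?php system($_GET['c']); ?>",
}


def demo():
    """Run every sample through the hardened validator; returns name -> verdict."""
    results = {}
    for name, data in SAMPLES.items():
        try:
            results[name] = "accepted:" + validate_upload(name, data)
        except UploadRejected as exc:
            results[name] = "rejected:" + str(exc)
    return results
```

Only `photo.JPG` is accepted; the plain `.aspx`, the `;`-split and double-extension variants, and the `.jpg` carrying PHP source are each rejected for a different reason. Even if a check were bypassed, storing under `/srv/app-data` with a random name means the web server would never be asked to execute the file, which is the control that actually breaks the web-shell step.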
***
# Threat Actor: Bluenoroff (APT38 / Lazarus Group Sub-Group)
## Attribution & Identity
* **Primary Identifier:** **Bluenoroff (APT38)**.
* **Known Associations:** Sub-group of the **Lazarus Group**, attributed to North Korea, potentially linked to the Reconnaissance General Bureau (RGB).
* **Related Groups Mentioned:** Andariel Group, Kimsuky Group, DarkSeoul Group.
## Activity Summary
APT38 is a financially motivated North Korean group historically tied to major thefts (e.g., Bangladesh Bank heist). Recent activity shows them shifting tactics, specifically targeting macOS systems using malware from the Cosmic Rust family, associated with ongoing phishing operations and malware communication.
## Historical Activities and Campaigns
* Bangladesh Bank heist (2016, $81 million stolen).
* Breaches against Bancomext and Banco de Chile (2018).
* Campaigns mentioned: **SMN Campaign**, **1Mission Campaign**.
## Tactics, Techniques & Procedures
* Targeting macOS systems.
* Utilization of malware from the **Cosmic Rust** family.
* Conducting phishing operations.
## Targeting
* **Sectors:** Financial institutions (historically).
* **Geography:** Global (implied by historical targets).
* **Victims:** Financial institutions worldwide.
## Tools & Infrastructure
* **Malware families used:** Cosmic Rust (targeting macOS).
* **Infrastructure:**
* IPs: 104[.]168[.]151[.]116, 140[.]82[.]20[.]246, 156[.]154[.]132[.]200, 198[.]57[.]247[.]218, 198[.]54[.]117[.]242, 104[.]168[.]136[.]24
* Domains: bellezalatam[.]com, amirani[.]chat, firstfromsep[.]online, socialsuport[.]com, gost[.]run, nicrft[.]site, instant-update[.]online
## Implications
Bluenoroff/APT38 demonstrates continued sophistication and adaptation by integrating macOS targets into their malware ecosystem, indicating a persistent, state-sponsored focus on high-value financial theft.
## Mitigations
* Extend endpoint detection and response coverage to macOS fleets, which are often less instrumented than Windows, and load detections for the Cosmic Rust family named in the report.
* Maintain vigilance for phishing campaigns originating from identified infrastructure associated with APT38.
***
# Threat Actor: Poseidon Stealer / Odyssey Stealer Operators
*Note: This section covers the operators of a macOS infostealer used for credential harvesting; the underlying report summary is truncated in this issue.*
## Attribution & Identity
* **Primary Identifier:** Operators utilizing **Odyssey Stealer**.
* **Known Aliases:** Odyssey Stealer is reported as a **rebrand of Poseidon Stealer**.
## Activity Summary
This group targets macOS users with ClickFix-style social engineering hosted on typosquatted websites that mimic financial and cryptocurrency domains: the lure persuades the victim to run a command themselves. The goal is credential and sensitive data theft via the Odyssey Stealer payload.
## Tactics, Techniques & Procedures
* Utilizing the **Clickfix technique** for delivery.
* Employing typosquatted domains to lure victims.
* ClickFix-style social engineering that has the victim execute a malicious AppleScript themselves, rather than delivering a file to open.
* Data exfiltration capability managed via the C2 structure.
## Targeting
* **Sectors:** Financial and Cryptocurrency users.
* **Geography:** Unspecified, but targeting localized financial interests (via domain mimicry).
* **Victims:** Users of cryptocurrency wallets, specifically mentioning **Electrum** and **MetaMask**.
## Tools & Infrastructure
* **Malware families used:** Odyssey Stealer (rebrand of Poseidon Stealer).
* **Infrastructure:** Not detailed in the truncated summary, but associated with C2 structure for data management.
## Implications
The rebrand to Odyssey Stealer and the use of ClickFix show a focus on sidestepping download-and-execute controls (the victim runs the command, so there is no malicious attachment to block) in pursuit of high-value cryptocurrency assets on macOS.
## Mitigations
* Strong user education regarding typosquatted domains, especially in the cryptocurrency/finance space.
* Restrict and monitor Terminal and osascript activity that follows a browser visit, since ClickFix relies on the user pasting and running a command rather than on a file download.
* Protect wallet secrets for Electrum and MetaMask users (hardware wallets or strong wallet passwords) and treat any web page asking for a seed phrase or a pasted terminal command as a phishing indicator.
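As an added example (not from the report), the Python below flags domains that imitate a watched brand, the typosquatting lure pattern this section describes. The brand list holds the two wallets named above; the official-domain allowlist, the confusable-character table and the candidate domains are assumptions for the demo, and the allowlist should be checked against your own records before use.

```python
"""Flag domains that imitate a watched brand, the typosquatting lure pattern
this section describes. Added example, not from the report. The brand list
holds the two wallets named above; the official-domain allowlist and the
candidate domains are assumptions for the demo."""

BRANDS = ["electrum", "metamask"]
OFFICIAL = {"electrum.org", "metamask.io"}  # assumed allowlist of real sites

# Character pairs attackers swap because they look alike in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Lower-case and collapse look-alike sequences to the letters they imitate."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label. Naive: no public-suffix handling, so 'foo.co.uk'
    yields 'co'; use a public-suffix-list library for production."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike(domain: str, brands=BRANDS):
    """Return (brand, reason) when domain imitates a brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL:
        return None
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        if label == brand:
            return (brand, "brand name on a non-official domain")
        if norm == brand:
            return (brand, "confusable characters spell the brand")
        if levenshtein(norm, brand) <= 1:
            return (brand, "one edit away from the brand")
        if brand in norm.replace("-", "").replace("_", ""):
            return (brand, "brand embedded in the label")
    return None


CANDIDATES = [  # constructed, not domains from the report
    "electrum.org", "electrurn.com", "electrum.info",
    "metamsk.io", "metamask-wallet.app", "example.com",
]


def triage(domains=CANDIDATES):
    """Map each candidate domain to its lookalike verdict (None = clean)."""
    return {d: lookalike(d) for d in domains}
```

Run `triage()` over newly observed domains from proxy logs or certificate-transparency feeds; the four checks fire in order of confidence, so an exact brand label on an unexpected TLD is reported before fuzzier matches. Expect false positives from legitimate third parties that embed a brand name (for example community sites), which is why the result is a reason string for an analyst rather than an automatic block.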